Linux Today: Linux News On Internet Time.

SunWorld: Forensics - Getting to the bottom of a security breach

Aug 06, 2000, 12:24
By Carole Fennelly

"If a picture is worth a thousand words, then an example is worth a thousand pictures. This article describes the actions taken to investigate an actual security breach. To truly understand the technical details of an incident, it is best to see the actual data. The tricky part is how to present the data in a way that is understandable while protecting the privacy of the parties involved...."

"It all started when my friend Mac sent me an urgent email asking for help in tracking down a security incident (see Sidebar 1). Mac was covering for the lead admin on the affected site and was in a bit over his head. The abuse contact for his site had received a complaint that someone from the site was harassing people in an Internet relay chat room (see Sidebar 2). Apparently, BNC was being used to mask the real IP address of the offender."

"BNC (BouNCe) is an IRC proxy daemon written by James Seter. With it, users can bounce IRC traffic to mask the traffic's originating IP address."

"BNC isn't malicious code in and of itself. It can be used for quite legitimate purposes, such as protecting a PC by covering its real IP address with the address of a system better able to withstand an attack. While this is a form of security through obscurity, a little obscurity can be helpful, especially when facing DoS attacks."
